Analysis
- max time kernel: 147s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/04/2024, 14:41
Static task: static1
Behavioral task: behavioral1
Sample: e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe
Resource: win7-20240319-en
General
- Target: e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe
- Size: 6.3MB
- MD5: a36d41f2e8210c0da3814b8e9a15500d
- SHA1: e3fba49fd246e3580bca587982a0f9ee820a582d
- SHA256: e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d
- SHA512: 66d27c8d3fe43ffd0e3d10b70a6e9fdbf8ccc7d22efd0db98d7113330d85653f6d25a347dc9030f114322ba0cb348c0580ca96fdf7cdfc2873e43eaba1d51b79
- SSDEEP: 98304:HyBEvyd0JkMzAo/Tsl03kxD7EhHwwsrfYbQa8vCMTXeXgAg:S0JkMzAo/Th0xD7Kts0t8vLX5Ag
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation (Process: e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation (Process: DocumentSaver.exe)
- Executes dropped EXE (1 IoC)
  - pid 3040, Process: DocumentSaver.exe
- Loads dropped DLL (1 IoC)
  - pid 3040, Process: DocumentSaver.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 1816 wrote to memory of 3040 (pid: 1816, Process: e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe, procid_target: 88)
  - PID 1816 wrote to memory of 3040 (pid: 1816, Process: e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe, procid_target: 88)
  - PID 3040 wrote to memory of 2116 (pid: 3040, Process: DocumentSaver.exe, procid_target: 99)
  - PID 3040 wrote to memory of 2116 (pid: 3040, Process: DocumentSaver.exe, procid_target: 99)
  - PID 3040 wrote to memory of 1364 (pid: 3040, Process: DocumentSaver.exe, procid_target: 101)
  - PID 3040 wrote to memory of 1364 (pid: 3040, Process: DocumentSaver.exe, procid_target: 101)
Processes
- C:\Users\Admin\AppData\Local\Temp\e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe (level 1, PID 1816)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e5c85df9a9b6f84f76c64b41c07a4f52f16a373eae80c713765a5cf43ced3e8d.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\DocumentSaver.exe (level 2, PID 3040)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\DocumentSaver.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (level 3, PID 2116)
      Command line: "C:\Windows\System32\cmd.exe" /C Del SQLite.Interop.dll
    - C:\Windows\System32\cmd.exe (level 3, PID 1364)
      Command line: "C:\Windows\System32\cmd.exe" /C Del C:\Users\Admin\AppData\Local\Temp\RarSFX0\DocumentSaver.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5.2MB
  MD5: cf7eb797b63e8322269eb8281975af53
  SHA1: beff0874841fc49e458f9fbfb04664143535bf32
  SHA256: 710faabf217a5cd3431670558603a45edb1e01970f2a8710514c2cc3dd8c2424
  SHA512: a22e79c05cb3848a8810cfa18380b7bd7af31b4b5b5c816710bfd6950f0c2d69c20db78a319ce3134b302033d1209868eff4d46e9fbcf2066a2e10f9c23f64f5
- Filesize: 1.7MB
  MD5: 56a504a34d2cfbfc7eaa2b68e34af8ad
  SHA1: 426b48b0f3b691e3bb29f465aed9b936f29fc8cc
  SHA256: 9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961
  SHA512: 170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7